Nftables Firewall Basis Konfiguration: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 91: | Zeile 91: | ||
=Wir Snaten= | =Wir Snaten= | ||
| + | *Wir müssen hier eine neue Tabelle anlegen | ||
| + | *Snat gehört zur nat-Tabelle | ||
| + | *Wir müssen das Paket verändern kurz vor dem verlassen des Rechners | ||
| + | *Der richtige Ort ist der postrouting Haken | ||
| + | #!/usr/sbin/nft -f | ||
| + | flush ruleset | ||
| + | define local_tcp_ports = { 22 } | ||
| + | define save_interfaces = { enp0s8, enp0s9, enp0s10 } | ||
| + | '''define wandev = enp0s3''' | ||
| + | '''define wanip = 192.168.6.100''' | ||
| + | '''define lan-nets = { 172.16.100.0/24 , 172.17.100.0/24 }''' | ||
| + | |||
| + | table inet filter { | ||
| + | chain input { | ||
| + | type filter hook input priority filter; policy drop; | ||
| + | ct state established,related accept | ||
| + | ct state new iif "lo" accept | ||
| + | ct state new tcp dport $local_tcp_ports accept | ||
| + | ct state new iif $save_interfaces accept | ||
| + | log prefix "--nftables-drop-input--" | ||
| + | } | ||
| + | |||
| + | chain forward { | ||
| + | type filter hook forward priority filter; policy drop; | ||
| + | ct state established,related accept | ||
| + | ct state new iif $save_interfaces accept | ||
| + | log prefix "--nftables-drop-forward--" | ||
| + | } | ||
| + | chain output { | ||
| + | type filter hook output priority filter; policy drop; | ||
| + | ct state established,related accept | ||
| + | ct state new accept | ||
| + | log prefix "--nftables-drop-output--" | ||
| + | } | ||
| + | |||
| + | } | ||
| + | table inet nat { | ||
| + | chain postrouting { | ||
| + | type nat hook postrouting priority srcnat; policy accept; | ||
| + | oif $wandev ip saddr $lan-nets snat ip to $wanip | ||
| + | } | ||
| + | } | ||
Version vom 28. Februar 2023, 16:41 Uhr
Die Basis Konfiguration
- Die Basiskonfiguration besagt das von der Firewall nach aussen alles erlaubt ist.
- Wir schalten hier auch noch den 22 Zugang frei.
#!/usr/sbin/nft -f
flush ruleset
define local_tcp_ports = { 22 }
define save_interfaces = { enp0s8, enp0s9, enp0s10 }
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state new iif "lo" accept
ct state new tcp dport $local_tcp_ports accept
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept
}
chain output {
type filter hook output priority filter; policy drop;
ct state established,related accept
ct state new accept
}
}
Weiter gehts
- Wir schalten die lokalen Netze gegenseitig frei.
- So wie auch den Zugriff auf unsere Firewall
- In der Praxis sollte man das genau überlegen.
- Für unsere Übung ist das aber ok.
#!/usr/sbin/nft -f
flush ruleset
define local_tcp_ports = { 22 }
define save_interfaces = { enp0s8, enp0s9, enp0s10 }
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state new iif "lo" accept
ct state new tcp dport $local_tcp_ports accept
ct state new iif $save_interfaces accept
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept
ct state new iif $save_interfaces accept
}
chain output {
type filter hook output priority filter; policy drop;
ct state established,related accept
ct state new accept
}
}
Das Logging
- Kurz vor dem erreichen der Default Policy wird geloggt
#!/usr/sbin/nft -f
flush ruleset
define local_tcp_ports = { 22 }
define save_interfaces = { enp0s8, enp0s9, enp0s10 }
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state new iif "lo" accept
ct state new tcp dport $local_tcp_ports accept
ct state new iif $save_interfaces accept
log prefix "--nftables-drop-input--"
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept
ct state new iif $save_interfaces accept
log prefix "--nftables-drop-forward--"
}
chain output {
type filter hook output priority filter; policy drop;
ct state established,related accept
ct state new accept
log prefix "--nftables-drop-output--"
}
}
Wir gucken
- tail -f /var/log/syslog | grep nft
Feb 28 17:30:09 firewall kernel: [ 2119.005002] --nftables-drop-input--IN=enp0s9 OUT= MAC=08:00:27:08:29:61:08:00:27:47:d1:33:08:00 SRC=172.16.100.151 DST=172.16.100.1 LEN=356 TOS=0x10 PREC=0xC0 TTL=64 ID=35132 PROTO=ICMP TYPE=3 CODE=3 [SRC=172.16.100.1 DST=172.16.100.151 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=308 ]
Wir Snaten
- Wir müssen hier eine neue Tabelle anlegen
- Snat gehört zur nat-Tabelle
- Wir müssen das Paket verändern kurz vor dem verlassen des Rechners
- Der richtige Ort ist der postrouting Haken
#!/usr/sbin/nft -f
flush ruleset
define local_tcp_ports = { 22 }
define save_interfaces = { enp0s8, enp0s9, enp0s10 }
define wandev = enp0s3
define wanip = 192.168.6.100
define lan-nets = { 172.16.100.0/24 , 172.17.100.0/24 }
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state new iif "lo" accept
ct state new tcp dport $local_tcp_ports accept
ct state new iif $save_interfaces accept
log prefix "--nftables-drop-input--"
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept
ct state new iif $save_interfaces accept
log prefix "--nftables-drop-forward--"
}
chain output {
type filter hook output priority filter; policy drop;
ct state established,related accept
ct state new accept
log prefix "--nftables-drop-output--"
}
}
table inet nat {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oif $wandev ip saddr $lan-nets snat ip to $wanip
}
}